On 10/22/2011 11:52 AM, John Gorkos wrote:
> I've been handed a requirement to create nested groups in our LDAP directory 
> for our Posix logins to ease our admin load.  We are using RHEL6.1 and SSSD 
> 1.5.x from Redhat, along with OpenLDAP 2.4.x.  I have loaded up a test VM with 
> all the appropriate software, but for the life of me I can't make it work.
>
> For starters, I'm using the rfc2307bis schema, meaning I want a groupOfNames 
> with member attributes that are complete DNs.
> I've included all the appropriate files/config at the end of this email, but the 
> basic premise is this:
> I have an ou=People organizational group with four users (Alpha, Bravo, 
> Charlie, and Delta).  Each is an inetOrgPerson and posixAccount with a 
> gidNumber of 1000 and a uidNumber of 10001-10004.
> I have an ou=Groups organizational group with two posixGroup groups (cn=Fruits 
> and cn=Nuts) with gidNumbers of 1001 and 1002.  At the same level, I have 8 
> more groups (Apple, Banana, Cherry, Date and Almond, Brazil, Cashew and 
> Doughnut).  These are just groupOfNames objects, not posixGroups.  As you would 
> expect, Fruits' members list will contain cn=[Apple|Banana|Cherry|
> Date],ou=Groups,dc=example,dc=com and Nuts' members list will contain 
> cn=[Almond|Brazil|Cashew|Doughnut],ou=Groups,dc=example,dc=com.
> We'll start off my example without them, and add them as needed.
> Also, just for completeness, there is a cn=Users,ou=Groups entry with 
> gidNumber=1000 (for the default group of each user).
>
> Now, the fun part.  I want to have user Alpha be a Fruit.  So, I add his dn to 
> cn=Fruits:
> dn: cn=Fruits,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> objectClass: posixGroup
> gidNumber: 1001
> cn: fruits
> member: cn=User Alpha,ou=People,dc=example,dc=com
>
> (here's user alpha's definition)
> dn: cn=User Alpha,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: User Alpha
> sn: Alpha
> gidNumber: 1000
> homeDirectory: /home/alpha
> uidNumber: 10001
> uid: alpha
>
>
> I ask NSS about him, and I get this:
> # id alpha
> uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)
>
> Well, that's great.  Now let's add him to nuts, too:
> # ldapsearch -xLLL cn=nuts
> dn: cn=Nuts,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> objectClass: posixGroup
> gidNumber: 1002
> cn: nuts
> member: cn=User Alpha,ou=People,dc=example,dc=com
>
> And now he's a fruit and a nut.  Perfect.
>
> # id alpha
> uid=10001(alpha) gid=1000(users) groups=1000(users),1002(nuts),1001(fruits)
>
>
> In my organization, there are lots of nuts.  We'd like to categorize our nuts 
> a little better, and User Alpha is definitely a Doughnut.  So, we'll take him 
> out of the cn=Nuts group and put him in cn=Doughnut.
> After just adding him to cn=Doughnut, we don't expect that list to show up in 
> the nss list of groups, because Doughnut is not a posixGroup.  Here's the list 
> structure so far:
>
> dn: cn=Nuts,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> objectClass: posixGroup
> gidNumber: 1002
> cn: nuts
>
> dn: cn=Doughnut,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> cn: doughnut
> member: cn=User Alpha,ou=People,dc=example,dc=com
>
> # id alpha
> uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)
>
> Perfect.  He's still a fruit, but not yet a nut.
> Now, the kicker.  According to my understanding, I should be able to put 
> cn=Doughnut,ou=Groups,dc=example,dc=com into the member list of 
> cn=Nuts,ou=Groups,dc=example,dc=com and our buddy User Alpha should become 
> part of posix group nuts:
>
> dn: cn=Nuts,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> objectClass: posixGroup
> gidNumber: 1002
> cn: nuts
> member: cn=Doughnut,ou=Groups,dc=example,dc=com
>
> dn: cn=Doughnut,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> cn: doughnut
> member: cn=User Alpha,ou=People,dc=example,dc=com
>
> But alas:
> # id alpha
> uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)
>
> And this is where the gnashing of teeth, pulling of hair, and wailing begin.
> # getent group
> root:x:0:root
> ...
> users:*:1000:
> fruits:*:1001:alpha
> nuts:*:1002:
>
> # getent group nuts
> nuts:*:1002:
>
> This one really puzzles me:
> # sss_groupshow fruits
> Error initializing the tools - no local domain
>
> So, that's where I stand, on the brink between success and failure.  On the 
> precipice of unemployment, and I beseech the wisdom of the crowd to rescue 
> me.  Somewhere in the following sssd.conf file, or in my LDAP schema, or in 
> SOMETHING, I'm missing a line, or have something misconfigured.  I'm at your 
> collective mercy.
>
> sssd.conf:
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> entry_cache_timeout = 60
> entry_cache_nowait_timeout = 30
> enum_cache_timeout = 30
>
> [pam]
> reconnection_retries = 3
>
> [domain/LDAP]
> ldap_uri = ldap://smbtest2
> auth_provider = ldap
> id_provider = ldap
> chpass_provider = ldap
> te = true
> entry_cache_timeout = 10
> cache_credentials = false
> ldap_id_use_start_tls = True
> ldap_schema = rfc2307bis
> ldap_search_base = dc=example,dc=com
> ldap_tls_cacert = /etc/pki/tls/certs/slapdcert.pem
> ldap_enumeration_refresh_timeout = 10
> ldap_purge_cache_timeout = 10
> ldap_group_nesting_level = 5
> debug_level = 5
>
> /etc/nsswitch.conf:
> #
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files ldap
> publickey:  nisplus
> automount:  files ldap
> aliases:    files nisplus
>
> /etc/ldap.conf (even though it should not be used, because SSS is handling 
> NSS)
> base dc=example,dc=com
> uri ldap://smbtest2
> ldap_version 3
> scope sub
> restart yes
> pam_template_login_attribute uid
> pam_password md5
> bind_policy soft
> network_timeout 5
> timelimit 10
> bind_timelimit 10
> tls_cacertfile /etc/pki/tls/certs/slapdcert.pem
> ssl start_tls
> nss_schema rfc2307bis
> nss_base_netgroup ou=Netgroups,dc=example,dc=com
> nss_connect_policy persist
> nss_map_attribute uniqueMember member
>
> I have slightly modified the LDAP schemas to allow for empty groupOfNames (i.e. 
> no members), and to make RFC2307bis work.
>
> Any other files, debug output, logs, etc. are available on request.  If I don't 
> get this working, we'll wind up having to use netgroups and nis-like 
> constructs, which I feel is a giant step backward in time.  Finally, I realize 
> this is a "devel" list and not an "end user help" list, but I'm unsure of 
> where else to turn.
>
> Thanks in advance.
> John Gorkos
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel

Hello John,

I will leave it to the mighty engineers to help you with this situation.
Just a couple of comments:
sss_* utilities are for the local domain only. It is a local (internal to
the machine) domain defined inside SSSD (like files, it just uses the SSSD local
DB). You do not have this one initialized (and you do not need to); this
is why you get an error. It is irrelevant to the problem you are observing.

Please have the logs with high debug level ready, you might be asked for
them.
What is the exact version of the sssd you have?

A lot of nesting related work has been done in 1.6.x, so I wonder if it
is worth trying with the latest. But I will refrain from advising it
before others have chimed in.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




